🔒 Privacy Policy

Last Updated: January 25, 2026

🇪🇺 GDPR Compliance

RateMyBody operates in Finland and complies with the General Data Protection Regulation (GDPR) and Finnish Data Protection Act. This privacy policy explains how we collect, use, and protect your personal data in accordance with EU law.

Data Controller: RateMyBody, Finland

Legal Basis for Processing: Consent, contract performance, legal obligations, and legitimate interests

1. Information We Collect

1.1 Account Information

  • Username and display name
  • Email address
  • Password (encrypted)
  • Date of birth
  • Gender and country
  • Profile information and bio

1.2 Uploaded Content

  • Photos and images you upload
  • Photo titles and descriptions
  • Category selections
  • Upload timestamps

1.3 Activity Data

  • IP addresses
  • Browser type and version
  • Device information
  • Pages visited and actions taken
  • Ratings and votes given
  • Login times and session data

2. How We Use Your Information

  • To provide and maintain our service
  • To verify age requirements
  • To prevent fraud and abuse
  • To enforce our Terms of Service
  • To comply with legal obligations
  • To improve user experience
  • To communicate with you about your account
  • To promote and grow the service (for example, featuring publicly posted content in promotional materials as described in our Terms of Service)

3. Data Retention

We retain your data:

  • Account data: Until you delete your account
  • IP logs: For security and legal compliance (typically 90 days to 1 year)
  • Deleted content: May remain in backups for up to 90 days
  • Legal hold data: Retained as required by law or valid legal process

4. Data Sharing

We do not sell your personal information.

We may share your information only in the following circumstances:

  • Law enforcement: When required by valid legal process
  • Safety: To prevent harm or illegal activity
  • CSAM reports: Required reporting to NCMEC and authorities
  • Service providers: Trusted partners who assist in operating our service

5. Your Rights Under GDPR

As an EU-based service, we provide you with comprehensive data protection rights:

5.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, access to that data and information about the processing.

5.2 Right to Rectification (Art. 16 GDPR)

You have the right to obtain the rectification of inaccurate personal data and to have incomplete data completed.

5.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data without undue delay where:

  • The data is no longer necessary for the purposes collected
  • You withdraw consent and there is no other legal ground for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased for compliance with a legal obligation

Note: This right may be limited where retention is necessary for legal compliance, establishment of legal claims, or other lawful purposes.

5.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to restrict processing of your personal data in certain circumstances.

5.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

5.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

5.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time.

5.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, workplace, or where an alleged infringement occurred.

Finnish Data Protection Authority:
Office of the Data Protection Ombudsman
Website: tietosuoja.fi
Email: tietosuoja@om.fi

How to Exercise Your Rights

To exercise any of these rights, contact us using our Privacy Request Form or by contacting our Data Protection Officer.

We will respond to your request within one month as required by GDPR (extendable by two additional months for complex requests).

6. Security

We implement industry-standard security measures including:

  • Encrypted passwords using Argon2id
  • Secure HTTPS connections
  • Regular security audits
  • Access controls and monitoring

7. International Data Transfers

Data Location: Your data is primarily stored on servers located in Finland (EU).

If we transfer your data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Adequacy decisions by the EU Commission
  • Your explicit consent where required

Currently, data processing occurs within the EU and we do not routinely transfer data outside the EEA.

8. Cookies and Tracking Technologies

Cookie Consent: In compliance with the EU ePrivacy Directive (Cookie Law), we obtain your consent before placing non-essential cookies.

We use cookies for:

  • Strictly Necessary Cookies: Session management, authentication, security (no consent required)
  • Functional Cookies: User preferences and settings (consent required)
  • Performance Cookies: Analytics and site improvement (consent required)

You can manage your cookie preferences at any time through your browser settings or our cookie consent banner.

9. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

  • Consent (Art. 6(1)(a) GDPR): For optional features and marketing communications
  • Contract Performance (Art. 6(1)(b) GDPR): To provide our service to you
  • Legal Obligations (Art. 6(1)(c) GDPR): For age verification, CSAM reporting, and compliance with Finnish/EU law
  • Legitimate Interests (Art. 6(1)(f) GDPR): For security, fraud prevention, and service improvement

10. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance.

To contact our DPO or submit privacy requests, please use our Contact Form and select the appropriate category (DPO, GDPR, or Privacy Request).

11. United States Privacy Rights

🇺🇸 US User Privacy Rights

While RateMyBody operates from Finland under EU law, we respect the privacy rights of our US users:

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the right to:

  • Know: Request disclosure of personal information collected about you
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale of personal information (Note: We do not sell personal information)
  • Non-Discrimination: Not be discriminated against for exercising your privacy rights
  • Correct: Request correction of inaccurate personal information
  • Limit: Limit use and disclosure of sensitive personal information

To exercise these rights, contact us using our California Privacy Request Form.

Other US State Privacy Laws

We also respect privacy rights under:

  • Virginia CDPA: Virginia Consumer Data Protection Act
  • Colorado CPA: Colorado Privacy Act
  • Connecticut CTDPA: Connecticut Data Privacy Act
  • Utah UCPA: Utah Consumer Privacy Act

Residents of these states have similar rights to access, delete, correct, and opt-out of data processing.

Federal Privacy Protections

  • COPPA: We comply with the Children's Online Privacy Protection Act. Users under 13 require parental consent.
  • CAN-SPAM: All marketing emails include opt-out mechanisms and comply with the CAN-SPAM Act.
  • TCPA: We do not send unsolicited SMS messages and comply with the Telephone Consumer Protection Act.

12. International Data Transfers

Your data is primarily stored and processed in Finland (EU). When data is transferred to third countries, we ensure adequate protection through:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Other legally approved transfer mechanisms

For US users: Data transfers are conducted in compliance with the EU-US Data Privacy Framework principles where applicable.

13. Contact Us

Data Controller: RateMyBody, Finland

For all privacy-related inquiries, please use our Contact Form and select the appropriate category:

  • Privacy inquiries: Select "Privacy / GDPR Request"
  • Data Protection Officer: Select "Data Protection Officer (DPO)"
  • GDPR requests: Select "Privacy / GDPR Request"
  • California/CCPA requests: Select "California Privacy Rights (CCPA)"
  • DMCA/Copyright: Select "DMCA / Copyright Takedown"

For all inquiries, you can also use our Contact Form.

Legal Entity: RateMyBody operates in Finland under EU law. We do not maintain a public postal address for privacy and security reasons. All communications should be conducted via our contact form.
